Skip to content

Virtual Switch (VDE)

VM networking with a VDE device.

You create a switch and connect to it a tap device and multiple VMs. To access to the internet you need a firewall to route traffic from ensp3s0/eth0 to tap0.

The firewall applies to tap0.

Software needed

vde2 and iptables.

Optional dnsmasq . 

sudo pacman -S vde2 dnsmasq iptables

Load the tun kernel module. 

sudo modprobe tun

Create the tap

sudo tunctl -u <USER>
sudo ip addr add dev tap0 10.10.10.1/24
sudo ip link set dev tap0 up

Route the traffic.

iptables -A INPUT -i tap0 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -i tap0 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i tap0 -p udp -m udp --dport 67 -j ACCEPT
iptables -A FORWARD -o tap0 -j ACCEPT
iptables -A FORWARD -i tap0 -j ACCEPT
iptables -A OUTPUT -o tap0 -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -o tap0 -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o tap0 -p udp -m udp --sport 67 -j ACCEPT

Start the Switch

This will create the switch; it looks like it's stuck, just pres enter and you will be presented with a prompt vde$ 

vde_switch -s /tmp/switch1 -tap tap0

DHCP

Make sure /etc/dnsmasq.conf is empty or doesn't exists or it's commented out. Also you can use this file for configuring it insted of using a command. You can also change the IPs. 

# dnsmasq --listen-address=10.10.10.1 --dhcp-range=10.10.10.10,10.10.10.200,12h --interface=tap0 --except-interface=lo,enp3s0 --dhcp-option=3,10.10.10.1 --dhcp-option=6,1.1.1.1,1.0.0.1

Configure the network in the host. If for whatever reason you don't want a fucking DHCP.

IP: 10.10.10.10/24
Gateway: 10.10.10.1

remove network

vde$ shutdown
# killall dnsmasq
# ip link set dev tap0 down
# tunctl -d tap0

QEMU shit (Different MAC addresses for every VM)

Diferent MAC addresses for every VM. 

-net nic,macaddr=e0:d5:5e:65:a3:01 \
-net vde,sock=/tmp/switch1 \

Helpful commands

vde$ port/allprint
vde$ shutdown

Bridge for everyone

This solution does have problems or misconfigurations. I didn't finished configuring it. Be careful.

Create a bridge and connect the Linux network stack to it along with the VMs.

You will no longer use the interface directly but rather use the bridge to go out.

A bridge to connect everything and a tap to connect each VM. Yes, each.

Works as a way of connecting directly to the computer network. It does not create another virtual network that is connected to the internet

enp3s0 is my network interface, yours may be eth0.

You need to create a tap for every VM and add it to the bridge.

Software needed

DUNNO.

You may need to load the tun kernel module 

# modprobe tun

Create the bridge

# brctl addbr br0

Create the tap

# tunctl -u <USER>
## ifconfig tap0 10.10.10.2 netmask 255.255.255.0

Add the interfaces to the bridge

# brctl addif br0 enp3s0
# brctl addif br0 tap0

Raise the interfaces and get an IP in br0

\\ Give an IP to the bridge
# ip addr add dev br0 10.10.10.1/24
-----------------------------------
\\ Rise the interfaces
# ip link set dev br0 up
# ip link set dev enp3s0 up
# ip link set dev tap0 up
-------------------------
\\ Get an IP for the bridge
# dhclient br0

[Optional] Show the bridge

$ brctl show

Update the config in shorewall and restart shorewall

This does NOT apply to everyone. You may need IPtables rules. Or not, I don't know how this works. I don't even know if this (firewall) does something to the bridge. 

# shorewall restart /etc/shorewall

Start a DHCP server on the tap bridge

Make sure /etc/dnsmasq.conf is empty or doesn't exists or it's commented out. Also you can use this file for configuring it insted of using a command. You can also change the IPs. 

# sudo dnsmasq --listen-address=10.10.10.1 --dhcp-range=10.10.10.10,10.10.10.200,12h --interface=br0 --except-interface=lo,enp3s0 --dhcp-option=3,10.10.10.1 --dhcp-option=6,1.1.1.1,1.0.0.1

Shit in QEMU

-device virtio-net-pci,netdev=net0 -netdev tap,id=net0,ifname=tap0,script=no,downscript=no,vhost=on \

Remove bridge and restore network

# ip link set dev br0 down
# ip link set dev enp3s0 down
# ip link set dev tap0 down
# brctl delif br0 enp3s0
# brctl delif br0 tap0
# tunctl -d tap0
# brctl delbr br0
# dhclient enp3s0

Other commands

$ nmcli d
$ nmcli c
$ route -n
# ip tuntap add mode tap tap0
$ ifconfig

HOW this SHIT works. Maybe, I'm no expert.

Application -> IP Stack -> Bridge (br0) -> Internet
VM -> Bridge (br0) -> Internet

Routed Tap

Create a tap device and route traffic to it with a firewall like IPTables.

To achieve: tap to QEMU and route with IPtables/Shorewall.

No bridge no bullshit.

Still, you need to create a tap for every VM and route the traffic in the firewall.

Software needed

DUNNO.

You may need to load the tun kernel module 

# modprobe tun

Create the tap

# tunctl -u <USER>
# ip addr add dev tap0 10.10.10.1/24
# ip link set dev tap0 up

Start a DHCP server on the tap

Make sure /etc/dnsmasq.conf is empty or doesn't exists or it's commented out. Also you can use this file for configuring it insted of using a command. You can also change the IPs. 

# dnsmasq --listen-address=10.10.10.1 --dhcp-range=10.10.10.10,10.10.10.200,12h --interface=tap0 --except-interface=lo,enp3s0 --dhcp-option=3,10.10.10.1 --dhcp-option=6,1.1.1.1,1.0.0.1

Update the config in shorewall and restart shorewall

This does NOT apply to everyone. You may need IPtables rules. Or not, I don't know how this works. 

# shorewall restart /etc/shorewall

Shit in QEMU

-device virtio-net-pci,netdev=net0 -netdev tap,id=net0,ifname=tap0,script=no,downscript=no,vhost=on \

remove network

# killall dnsmasq
# ip link set dev tap0 down
# tunctl -d tap0

other commands

\\ Check if dnsmasq is running and where
ss -nualp

There is also another way with OVS (Open Virtual Switch)

https://ninefinity.org/post/openvswitch-for-libvirt-on-arch-linux/

https://bbs.archlinux.org/viewtopic.php?id=159941